Fraud detection database

ABSTRACT

Embodiments of techniques or systems for fraud detection are provided herein. A communication may be received where the communication includes one or more voice signals from an individual. Frequency responses associated with these voice signals may be determined and analyzed and utilized to determine whether or not potential fraudulent activity is occurring. For example, if a frequency response is greater than a frequency threshold, potential fraudulent activity may be determined. Further, frequency responses may be cross referenced with voice biometrics, voice printing, or fraud pathway detection results. In this way, voice stress or frequency responses may be utilized to build other databases related to other types of fraud detection, thereby enhancing one or more aspects of fraud detection. For example, a database may include a voice library, a pathway library, or a frequency library which include characteristics associated with fraudulent activity, thereby facilitating identification of such activity.

CROSS-REFERENCE TO RELATED APPLICATIONS

This application is a continuation of and claims priority to U.S.Non-Provisional patent application Ser. No. 14/221,590 entitled “FRAUDDETECTION”, filed on Mar. 21, 2014. The entirety of the above-notedapplication is incorporated by reference herein.

BACKGROUND

Generally, voice stress may be utilized in an interview process whereindividuals are face to face with an interviewer. For example, aninterview between an interviewer and an interviewee may be conducted inperson. Voice stress may be employed or in use with various levels offederal, state, or local law enforcement, investigative units of publiccompanies or private companies, domestic entities, foreign entities,etc. However, voice stress is generally limited to use in an in-personsetting where a person conducting the interview is face to face with anindividual being questioned or interrogated.

Perpetrators or fraudsters often phone in, call in, or initiatecommunications with institutions, such as financial institutions tosteal personal information or financial information from a victim,account owner, etc. Effectively, fraudsters (e.g., someone other than anauthorized user, legitimate customer, or account owner) may falsify ormisrepresent data for the purpose of effecting one or more actions foran account associated with an account owner by impersonating, posing, oracting as the individual purported to be the owner of the account oraccount owner. Accordingly, if the perpetrators or fraudsters are notcaught, fraud by deception may occur when a fraudster calls into a callcenter and passes security verification, thereby proceeding with one ormore fraudulent actions.

Fraudulent actions may include actions for an account takeover (ATO),falsifying or misrepresenting information related to account ownership,misrepresentation of assets, misrepresentation of a relationship,misrepresentation of use of an account, misrepresentation of the calleras an employee of a trusted organization (e.g., a financial institution,etc.), misrepresenting a legitimate use or need for information oractions requested, identity theft, identity fraud, fraudulentapplication for financial instrument (e.g., credit card), etc.

BRIEF DESCRIPTION

This brief description is provided to introduce a selection of conceptsin a simplified form that are described below in the detaileddescription. This brief description is not intended to be an extensiveoverview of the claimed subject matter, identify key factors oressential features of the claimed subject matter, nor is it intended tobe used to limit the scope of the claimed subject matter.

One or more embodiments of techniques or systems for fraud detection areprovided herein. A communication may be received which includes one ormore segments with one or more voice signals of an individual. One ormore of the voice signals may be analyzed for one or more frequencyresponses (e.g., the frequency at which the individual's vocal cordsvibrate during a segment of the communication). It may be determinedwhether the individual is attempting fraudulent activity based on acomparison between one or more of the frequency responses and afrequency threshold or a comparison between two or more of the frequencyresponses.

In one or more embodiments, fraud detection may be implemented byutilizing voice biometrics, voice printing, etc. For example, a databasemay include a voice library which includes one or more voice signalsfrom individuals deemed to be fraudsters. To this end, one or more ofthe voice signals from the communication may be compared against one ormore of the voice signals from the voice library to determine whether ornot a match exists. When a match exists, actions may be taken tomitigate losses, an account takeover (ATO), or potentially fraudulentactions.

Additionally, fraud pathway detection may be implemented by detecting ordetermining one or more characteristics associated with a communication.For example, characteristics associated with the communication may beindicative of a technology associated with a communication, artifactsassociated with the communication, or noise associated with thecommunication. One or more of the characteristics associated with thecommunication may be utilized to generate reverse lookup data or reversepath data for the communication. In other words, information about thecaller, individual, communication, etc. may be determined or tracedbased on available information. For example, a reverse lookup for a callplaced through a voice over internet protocol (VoIP) channel may beresolved by determining an internet protocol (IP) address for acorresponding domain. One or more of these characteristics may becompared with one or more sets of characteristics in a pathway library.The pathway library may include one or more sets of characteristicswhich are deemed to be associated with fraudulent communication. To thisend, when a match occurs, action may be taken to mitigate losses orpotential fraudulent activity.

In one or more embodiments, voice stress analysis (VSA) may beimplemented to determine whether a communication is fraudulent or not.For example, different segments of a communication may be examined oranalyzed to determine whether or not a frequency discrepancy existsbetween two or more segments of the communication. In one or moreembodiments, a frequency determination which indicates potentialfraudulent activity may be generated when one or more segments of thecommunication is associated with a frequency which is greater than afrequency threshold, for example.

As an example, a first segment of the communication may include aconversation segment which may include one or more requests associatedwith an account (e.g., access to the account, changes to the account,actions to be taken, etc.). A second segment of the communication mayinclude a verification segment, which may include one or more securityquestions, one or more stress questions, one or more test questions, andone or more responses thereto. It may be expected that an individual whois a fraudster may respond with one or more responses associated with ahigher frequency responses to the stress questions, test questions,security questions, etc. due to the risk of being detected, exposed,etc. Because of this, voice stress may be applied to a livecommunication or a recorded communication to determine whether atransaction initiated by an individual is fraudulent.

One or more database libraries (e.g., a voice library, a frequencylibrary, a pathway library, etc.) may be updated when disparities occurbetween different comparisons. For example, when VSA is implemented andit is determined that an individual may be conducting a fraudulenttransaction based on a frequency response (e.g., greater than afrequency threshold), the voice library may be updated with one or morevoice signals or one or more voice samples from the communication tosupplement one or more existing voice samples or to create a newidentity or profile for a new fraudster. In this way, one or more ofvoice biometrics, pathway analysis, or VSA may be utilized tocross-reference, cross-check, sharpen, or enhance one or more of theother two.

The following description and annexed drawings set forth certainillustrative aspects and implementations. These are indicative of but afew of the various ways in which one or more aspects are employed. Otheraspects, advantages, or novel features of the disclosure will becomeapparent from the following detailed description when considered inconjunction with the annexed drawings.

BRIEF DESCRIPTION OF THE DRAWINGS

Aspects of the disclosure are understood from the following detaileddescription when read with the accompanying drawings. Elements,structures, etc. of the drawings may not necessarily be drawn to scale.Accordingly, the dimensions of the same may be arbitrarily increased orreduced for clarity of discussion, for example.

FIG. 1 is an illustration of an example application of a system forfraud detection, according to one or more embodiments.

FIG. 2 is an illustration of an example system for fraud detection,according to one or more embodiments.

FIG. 3 is an illustration of an example flow diagram of a method forfraud detection, according to one or more embodiments.

FIG. 4 is an illustration of an example flow diagram of a method forfraud detection, according to one or more embodiments.

FIG. 5 is an illustration of an example flow diagram of a method forfraud detection, according to one or more embodiments.

FIG. 6 is an illustration of an example flow diagram of a method forfraud detection, according to one or more embodiments.

FIG. 7 is an illustration of an example computer-readable medium orcomputer-readable device including processor-executable instructionsconfigured to embody one or more of the provisions set forth herein,according to one or more embodiments.

FIG. 8 is an illustration of an example computing environment where oneor more of the provisions set forth herein are implemented, according toone or more embodiments.

DETAILED DESCRIPTION

Embodiments or examples, illustrated in the drawings are disclosed belowusing specific language. It will nevertheless be understood that theembodiments or examples are not intended to be limiting. Any alterationsand modifications in the disclosed embodiments, and any furtherapplications of the principles disclosed in this document arecontemplated as would normally occur to one of ordinary skill in thepertinent art.

For one or more of the figures herein, one or more boundaries, such asboundary 814 of FIG. 8, for example, may be drawn with differentheights, widths, perimeters, aspect ratios, shapes, etc. relative to oneanother merely for illustrative purposes, and are not necessarily drawnto scale. For example, because dashed or dotted lines may be used torepresent different boundaries, if the dashed and dotted lines weredrawn on top of one another they would not be distinguishable in thefigures, and thus may be drawn with different dimensions or slightlyapart from one another, in one or more of the figures, so that they aredistinguishable from one another. As another example, where a boundaryis associated with an irregular shape, the boundary, such as a box drawnwith a dashed line, dotted lined, etc., does not necessarily encompassan entire component in one or more instances. Conversely, a drawn boxdoes not necessarily encompass merely an associated component, in one ormore instances, but may encompass a portion of one or more othercomponents as well.

As used herein, the term to “infer” or “inference” refer generally tothe process of reasoning about or inferring states of the system,environment, and/or user from a set of observations as captured viaevents and/or data. Inference may be employed to identify a specificcontext or action, or may generate a probability distribution overstates, for example. The inference may be probabilistic. The computationof a probability distribution over states of interest based on aconsideration of data and events. Inference may also refer to techniquesemployed for composing higher-level events from a set of events and/ordata. Such inference results in the construction of new events oractions from a set of observed events and/or stored event data, whetheror not the events are correlated in close temporal proximity, andwhether the events and data come from one or several event and datasources.

One or more aspects may employ various AI-based schemes for carrying outvarious aspects thereof. For example, a process or system may befacilitated via utilization of an automatic classifier. For example,when a conversation segment is determined, a classifier may be employedto facilitate such a determination. A classifier may be a function thatmaps an input attribute vector, x=(x1, x2, x3, x4, xn), to a confidencethat the input belongs to a class, that is, f(x)=confidence (class).Such classification may employ a probabilistic and/or statistical-basedanalysis (e.g., factoring into the analysis utilities and costs) toprognose or infer an action that a user desires to be automaticallyperformed.

A support vector machine (SVM) is an example of a classifier that may beemployed. The SVM operates by finding a hypersurf ace in the space ofpossible inputs, which the hypersurface attempts to split the triggeringcriteria from the non-triggering events. Intuitively, this makes theclassification correct for testing data that is near, but not identicalto training data. Other directed and undirected model classificationapproaches include, e.g., naïve Bayes, Bayesian networks, decisiontrees, neural networks, fuzzy logic models, and probabilisticclassification models providing different patterns of independence maybe employed. Classification as used herein also is inclusive ofstatistical regression that is utilized to develop models of priority.

As will be readily appreciated from the subject specification, one ormore embodiments may employ classifiers that are explicitly trained(e.g., via a generic training data) as well as implicitly trained (e.g.,via observing user behavior, receiving extrinsic information). Forexample, SVMs may be configured via a learning or training phase withina classifier constructor and feature selection module. Thus, theclassifier(s) may be used to automatically learn and perform a number offunctions, including but not limited to determining according to apredetermined criteria.

FIG. 1 is an illustration of an example application 100 of a system forfraud detection, according to one or more embodiments. Accordingly, oneor more embodiments of techniques or systems for fraud detection,enhanced, fraud detection, or updating associated databases or librariesare provided herein. As an example, a communication 110 may be receivedfrom an individual 102. A communication 110 may include a call, atelephone call, a phone conversation, a conversation, one or more voicesignals, one or more voice signatures, one or more audio signals, one ormore audio signatures, a transaction, voice communications, multimediacontent, etc. Further, a communication 110 may be a communicationinitiated by an individual which is inbound (e.g., incoming as to a callcenter, for example) or outbound (e.g., when a call center offers acallback service, etc.). Additionally, a communication 110 may include aconversation between one or more individuals, one or more entities, oneor more parties, a caller and a recipient of a call, etc.

It will be appreciated that an individual 102 may utilize one or moredifferent types of devices to communicate. For example, the individualmay utilize a mobile device 104 to facilitate communication. In one ormore embodiments, the communication 110 may be implemented acrossdifferent channels, such as a voice over internet protocol (VoIP)channel, telephony, one or more telecommunication channels 106, alandline, a mobile line, satellite communications, or otherwise transmitvoice data between two or more parties (e.g., the individual 102 andanother party, such as CSR 108C). It will be appreciated that thecommunication may include aspects from the individual 102 with relationto a telecommunication channel 106 or from a party (e.g., CSR 108C) totelecommunication channel 106.

Generally, one or more of the voice signals or voice signatures of acommunication 110 is of an individual who has at one time or anotherinitiated a communication 110 or a request with an institution, such asa financial institution, bank, etc. In one or more scenarios, one ormore additional voice signals of a communication 110 may be from arepresentative, such as a customer service representative (CSR) 108A,108B, or 108C, for example. In other scenarios, the communication 110may be between the individual and an interactive voice response (IVR)system where there may be no need for CSR 108A, 108B, or 108C. Here, inthese scenarios, the communication 110 may merely include voice signalsof the individual (e.g., and/or voice signals of pre-recorded promptsfrom the IVR, etc.), for example.

In one or more embodiments, one or more aspects or one or morecharacteristics of the communication 110 may be received by a system forfraud detection 200 which may utilize one or more portions of thecommunication to facilitate fraud detection. For example, one or morevoice responses from one or more segments of the communication may besegmented, divided, or analyzed. In one or more embodiments, frequencyresponses for one or more of the segments may be analyzed to determinewhether or not potential fraudulent activity is occurring. This analysismay be based on whether one or more of the frequency responses exceeds(or is below) a frequency threshold or whether a delta frequency betweentwo or more of the frequency responses is greater than a delta frequencythreshold.

Additionally, the system 200 may supplement the frequency responseanalysis or the VSA with voice biometrics or fraud pathway detection,which will be described in greater detail herein. According to one ormore aspects, one or more databases or libraries (e.g., associated withthe system 200) may be updated according to one or more aspects orcharacteristics of the communication 110 to enhance fraud detection orcross-reference one or more different types of fraud detection.

FIG. 2 is an illustration of an example system 200 for fraud detection,according to one or more embodiments. The system 200 may include acommunications component 210, a database component 220, a monitoringcomponent 230, a detection component 240, an analysis component 250, anda fraud component 260. However, it will be appreciated that according toone or more aspects, the system 200 may be implemented or practicedwithout one or more of the components.

In one or more embodiments, the communications component 210 may beutilized to initiate or receive a communication (e.g., 110 of FIG. 1).The monitoring component 230 may receive one or more portions or one ormore segments of a communication. For example, a communication mayinclude one or more portions or one or more segments. A segment of oneor more of the segments may be an exchange between a caller, anindividual (who may be a fraudster or a legitimate account owner) and arecipient of the call, receiver, customer service representative (CSR),call center representative, employee, etc. Generally, a segment mayinclude one or more voice signals associated with an individual (e.g.,the individual calling into the institution). Often, a segment may alsoinclude one or more additional voice signals associated with a secondindividual (e.g., CSR, employee, etc.).

The monitoring component 230 may record or identify one or more segmentsof a communication. For example, the monitoring component 230 mayidentify, determine, or tag one or more segments of a communication or acall as a salutation segment, a verification segment, a conversationsegment, a summary segment, etc. As an example, a communication mayinclude a salutation segment, a verification, a conversation segment, ora summary segment. The salutation segment may include an introduction, acustomary greeting, a greeting, or a brief identification (e.g., “Hello,my name is Mike”). Further, the salutation segment may be at thebeginning of a communication.

A communication may include a verification segment. Often verificationsegments may be identified as including one or more security questions,one or more stress questions, one or more test questions, etc. wheresecurity information (e.g., financial information, personal information,etc.) may be requested from the individual who is communicating with theinstitution (e.g., financial institution, bank, etc.). As an example,the verification segment may include a request for an account number, asocial security number (SSN), the last four digits of a SSN, a name onthe account, authorized users on the account, an address, a hometelephone number, a business telephone number, mother's maiden name,date of birth (DOB), card verification data (CVD), a card verificationnumber (CVN), card verification value (CVV) or (CVV2), card verificationvalue code (CVVC), card verification code (CVC) or (CVC2), verificationcode (V-code), card code verification (CCV), signature panel code (SPC),one or more out of wallet verification questions, knowledge basedauthentication, etc.

Regardless, one or more of the security questions, stress questions, ortest questions may be designed to invoke an expected stress response orfrequency response when an individual providing the response is afraudster or perpetrator. For example, the monitoring component 230 mayprovide a CSR with one or more test questions or security questionsdeemed to invoke a more pronounced stress response or frequency responsebased on a pre-determined pattern or based on experimentation. In otherwords, out of a pool of many stress questions or test questions, themonitoring component 230 may suggest one or more of the stress questionsor test questions associated with higher stress responses fromindividuals which are not authorized account owners. Stated another way,the monitoring component 230 may provide stress questions which haveelicited a desired response from individuals known not to be the accountowners during a training period or an experimental period, for example.

A communication may include a conversation segment, which may includeone or more requests associated with an account of an account owner.When the individual who is calling in or participating in acommunication with an institution is a fraudster or a perpetrator, oneor more of the requests may include requests for fraudulent activity orpotential fraudulent activity. It will be appreciated that an individualmay be a legitimate account owner, a legitimate user, or a legitimatecustomer. However, individuals who are fraudsters, perpetrators,impersonators, etc. may call in posing as an account owner, legitimatecustomer, etc. A request associated with the conversation segment may beindicative of one or more goals which an individual desired to achieveor accomplish. Accordingly, a conversation segment of a communicationmay include one or more voice signals of an individual who is making oneor more requests associated with an account.

For example, an individual (e.g., not necessarily a fraudster) maysubmit a request for one or more actions, such as a change of address,to add or remove an address from an account, to use an alternate address(e.g., business address), order a replacement card, add or changeauthorized users to the account, notify a card issuer or account managerthat they have purchase plans (e.g., “I plan on making several largepurchases over $X”) or travel plans (e.g., “I plan on travelling toItaly”), confirming a previously made order, mail or telephone order,internet order, verify transactions, request emergency funds, transferfunds between accounts, request a balance transfer, make an accountinquiry, report an account lost or stolen, etc. Sometimes, fraudstersmay ‘test’ an account by making a general or balance inquiry. Generally,the conversation segment may be designed to mitigate invoking of stressresponses or frequency responses such that an individual who is afraudster will respond with a response associated with a ‘normal’ or‘expected’ frequency response (e.g., within a frequency tolerance rangeor such that the response does not exceed a frequency threshold, etc.).

A summary segment of a communication may include a summary of one ormore requests, changes, actions to be taken, etc. An operator, CSR, orIVR may ask a caller or an individual if there is anything else thecaller or individual needs help with, offer additional assistance,additional products, etc. To this end a segment of one or more of thesegments of a communication may include one or more questions, one ormore answers, one or more responses, one or more question-answerportions, one or more statements, one or more response statements, etc.Further, it will be appreciated that one or more of the segments may beassociated with an expected stress response or expected frequencyresponse.

For example, the verification segment may be associated with an expectedslightly elevated frequency response in comparison with one or moreother segments of the communication due to the design of one or more ofthe test questions or stress questions. On the other hand, theconversation segment, the introduction segment, or the summary segmentmay be associated with a normal or baseline expected frequency response.In other words, less stress, ‘normal’ frequency responses, or lowerfrequency responses may be expected for these segments. Regardless, themonitoring component 230 may receive, record, or categorize acommunication, one or more segments of a communication, one or moreresponses, one or more statements, one or more voice signals associatedtherewith, etc. made by an individual (e.g., where the individual may bea legitimate account owner or an individual posing as the account owneror a fraudster).

The monitoring component 230 may categorize one or more segments of thecommunication or one or more responses or statements associated with oneor more segments of the communication. In other words, the monitoringcomponent 230 may, for example, tag one or more segments or one or moreportions of a communication or otherwise associate an expected frequencyresponse with one or more of the segments. For example, the monitoringcomponent 230 may identify one or more portions or one or more segmentsof a communication or conversation as an introduction segment, aconversation segment, a verification segment, a summary segment, orother type of segment. Additionally, the monitoring component 230 mayassociate these segments or portions of the communication with one ormore expected characteristics or expected frequency responses. Forexample, when the monitoring component 230 identifies content associatedwith one or more voice signals as introductory (e.g., hi, how are youdoing, etc.), the monitoring component 230 may tag or associate thissegment with an expected frequency response threshold. In this example,the expected frequency response threshold may be higher, lower, ordifferent than an expected frequency response threshold for averification segment.

The monitoring component 230 may tag one or more segments of acommunication as a type of segment or with an expected frequencyresponse based on a rhythm associated with the communication, a partywhich is speaking, one or more procedures or practices of aninstitution, a user input, one or more patterns or speech patterns, apredetermined amount of time, a length of time associated with acontinuous voice signal, voice inflection, etc. Further, the monitoringcomponent 230 may isolate one or more of the voice signals from one ormore segments of the communication (e.g., by applying one or morefilters, performing signal analysis, etc.). In this way, noise may befiltered from one or more segments of the communication or one or moreportions of the communication.

In one or more embodiments, the monitoring component 230 may employvoice biometrics or voice printing by comprising one or more voicesignals from a communication or one or more segments of a communicationagainst one or more voice signals or voice signatures in a voice libraryor voice database of individuals deemed to fraudsters, as will bediscussed herein. The monitoring component 230 may generate a voicematch determination based on a comparison between one or more of thevoice signals of the communication and one or more voice signals, voicesamples, etc. from the voice library. In other words, the monitoringcomponent 230 may scan a voice library of the database component 220 todetermine if a communication is associated with an individual who has avoice matched to a fraud library or voice library.

For example, a voice match determination may be indicative of whether ornot it is believed that an individual is a same individual from thevoice library who has been deemed as a fraudster. In one or moreembodiments, the voice match determination may include a confidencelevel which indicates a likelihood that the individual is the sameindividual (e.g., associated with other fraudulent activity or suspectedof fraudulent activity) as indicated by the voice library. Themonitoring component 230 may scan a communication or a call for knownfraud voice signatures utilizing voice biometrics or voice printtechnology in this manner. Additionally, one or more of the voicesignals from the communication may be utilized to build or supplement avoice library, voice database, or voice print database, such as whenfraudulent activity occurs or is confirmed after the fact (e.g., at alater time after an individual has called in or when fraud occurs whereit is suspected that the individual associated with the communication isassociated with compromising an account).

In one or more embodiments, the monitoring component 230 may facilitateadministration of one or more test questions, one or more securityquestions, control a flow of the conversation, structure acommunication, order of one or more segments of a communication, etc. Ina scenario where an individual is providing responses to questions in aninteractive voice response (IVR) system, the monitoring component 230may playback one or more recordings or one or more recorded testquestions or one or more stress questions as well as receiving orrecording one or more corresponding responses. Further, one or moresegments of a communication or responses taken from an IVR may beassociated with different expected frequency response thresholds thanresponses to stress questions from a live person. For example, it may beexpected that an individual posing as an account owner may experience ahigher amount of stress (and thus respond with or have a higherfrequency response) when responding to questions from a live person thanwhen responding to questions from an automated or recorded system.

Additionally, the monitoring component 230 may facilitate or provide astructure for the communication by controlling an order of one or moresegments of the communication. In one or more embodiments, themonitoring component 230 may control the flow or the structure of thecommunication such that a segment associated with an expected stressfrequency response (e.g., a higher frequency or a greater than afrequency threshold) occurs prior to a segment associated with a normalor baseline frequency response. For example, the monitoring component230 may facilitate asking a test question or a verification segment of aconversation or communication (e.g., and recording a correspondingresponse) prior to asking for a desired action or engaging in theconversation segment of the conversation or communication. Here, in thisexample, a ‘stress’ response may be expected prior to or beforereceiving the ‘normal’ response.

The monitoring component 230 may direct an operator, representative, orcustomer service representative (CSR) to ask these questions byproviding the operator or recipient of the call with prompts. To thisend, the monitoring component 230 may segment or identify one or moresegments of a communication based on these prompts. For example, themonitoring component 230 may provide an operator or representative withone or more prompts which direct the representative to make statements,ask questions, ask stress questions, etc. As a result, an operator mayask for security information from an individual prior to asking theindividual for their objectives. However, in other embodiments, themonitoring component 230 may direct the operator or representative toorder one or more segments of the communication according to most anyorder. Accordingly, the monitoring component 230 may structure thecommunication or one or more segments of the communication based on apredetermined pattern or a random pattern. Regardless, the monitoringcomponent 230 may thus receive or record voice signals or audio of aconversation, communication, or one or more portions or segmentsthereof.

Accordingly, the system 200 of FIG. 2 may provide fraud detection orenhanced fraud detection by utilizing voice biometrics, pathwaydetection, voice stress analysis, etc. in a manner such that one or moreof the foregoing may be utilized to cross-reference, strengthen,enhance, or sharpen one or more of the others. In this way, a broadrange of fraud detection may be achieved and fraudulent activity,potential fraudulent activity, fraudsters, perpetrators, fraudsignatures, etc. may be detected (e.g., an mitigating action may betaken) among a group or plurality of communications, calls, telephonecalls, phone calls, telecommunications, etc. By providing such frauddetection, operators, representatives, or customer servicerepresentatives may receive notifications which facilitateidentification of fraudulent communications among one or morecommunications, a plurality of communications, or a mass of incomingcalls, etc.

In one or more embodiments, the detection component 240 may be utilizedby the system 200 to determine a pathway, communication pathway, fraudpathway, phone print, or one or more characteristics or attributesassociated with a communication. For example, an attribute orcharacteristic of one or more of the characteristics associated with acommunication may be indicative of a technology associated with thecommunication or a technology utilized to initiate the communication(e.g., whether a communication was placed over a telecommunicationschannel, a phone line, a voice over internet protocol or VoIP channel,etc.).

The detection component 240 may trace a technology or a route associatedwith a communication. In other words, the detection component 240 maydetermine the technology utilized to initiate the communication or aroute associated with voice data or data transmission (e.g., a cellularnetwork or cell tower, satellite transmission, trans-ocean cable, etc.).Additionally, the detection component 240 may determine whether one ormore characteristics of a communication are being spoofed, associatedwith fraudulent activity or potential fraudulent activity. For example,one or more characteristics of a communication may include an originlocation associated with the communication, a type of device utilized toinitiate the communication, a communication channel, etc. The detectioncomponent 240 may determine whether a communication originates from amobile device, cellular phone, landline, utilizes satellites, atelecommunications cable, etc.

Additionally, the detection component 240 may determine or detect one ormore artifacts associated with the communication or noise associatedwith the communication. In one or more embodiments, the detectioncomponent 240 may sample one or more portions of a communication whichis associated with no voice signals (e.g., when no individuals aretalking or speaking or “silence” as to one or more of the individuals).The detection component 240 may identify one or more artifacts duringthese portions of the communication and determine one or morecharacteristics associated with the communication pathway (e.g., a callpathway) based on one or more of the artifacts during a period of“silence”. An artifact may include one or more characteristicsassociated with a communication, such as noise, background noise,ambient noise, ambient sounds, static, or other background audio.

In some scenarios, noise or artifacts may be introduced intentionally byan individual, a party, or an entity to facilitate deception.Perpetrators or fraudsters may introduce noise purposely orintentionally in an attempt to defeat voice biometrics or voiceprinting. In other scenarios, noise may be inadvertently introduced,such as when the noise is introduced as a result of the channel orpathway being utilized for communication. For example, communications orcalls placed over a voice over internet protocol (VoIP) service mayoften include undesirable noise or artifacts. To this end, the detectioncomponent 240 may identify or utilize one or more of these artifacts todetermine an origin or pathway associated with the communicationinitiated via the VoIP service or channel.

The detection component 240 may compare one or more characteristicsassociated with the communication with one or more sets ofcharacteristics in a pathway library (e.g. of the database component220). In other words, the detection component 240 may scan a pathwaylibrary of the database component 220 to determine if a communication isassociated with a fraud pathway or known fraud pathway matched to thepathway library. To this end, the detection component 240 may generate apathway match determination. The pathway match determination may begenerated based on a match between one or more of the characteristics ofthe communication and one or more of the sets of characteristics in thepathway library. The pathway library or pathway database may include oneor more sets of characteristics deemed to be indicative of a fraudulentpathway. For example, if a fraudster has called in previously using aVoIP channel which is identified as an instrument which facilitatedfraudulent action on the fraudster's behalf, traits or characteristicsassociated with that VoIP channel may be stored or recorded in thepathway library for future reference. Accordingly, heightened scrutiny,a notification, or an alert may be provided if the same VoIP channel islater utilized and/or an individual is requesting activity which couldpotentially facilitate fraud (e.g., authorization of card or account usein a foreign location or an unusual location, etc.).

In one or more embodiments, the analysis component 250 may be utilizedto implement voice stress analysis (VSA) to a communication which occursover a telecommunications channel, such as a phone line, over a mobiledevice, a voice over internet protocol (VoIP) channel. Generally, theanalysis component 250 may apply the VSA to a communication orconversation where the communication is between an individual calling in(e.g., a caller) and an individual receiving the call (e.g., a callrecipient). However, it will be appreciated that the analysis component250 may implement VSA in scenarios where the individual or caller is theonly participant on the line, such as when VSA is implemented in aninteractive voice response (IVR) system. Regardless, it will beappreciated that VSA or stress analysis may be implemented in scenarioswhere the VSA or stress analysis is being applied to a telecommunicationor communication, such as a telephone call, rather than in a face toface environment.

Returning to the scenario where a caller or an individual is calling andan operator or representative responds (e.g., individual-representative,individual-operator, or caller-recipient scenario), VSA may be appliedby the analysis component 250 via an interviewer-interviewee format. Forexample, the analysis component 250 or the monitoring component 230 mayprompt an operator or representative to ask one or more securityquestions or guide the operator. It will be appreciated that anindividual or caller may potentially be an account owner or authorizeduser who should be granted access to a corresponding account or afraudster, perpetrator, impersonator, etc., who should not be grantedaccess. To this end the analysis component 250 may implement or utilizeVSA in a call center application or a customer service center, etc. Forexample, the recipient of a call or communication may be an employee, abank employee, a customer service representative (CSR), agent of afinancial institution, etc. In this way, the analysis component 250 mayutilize VSA in a banking context or for fraud detection in a financialenvironment.

The analysis component 250 may analyze one or more responses to one ormore security questions or one or more stress questions. These responsesmay be associated with different segments of a communication, such as anintroduction segment, a conversation segment, a verification segment, ora summary segment. Additionally, the responses may include voice signalsfrom one or more individuals (e.g., individuals of interest associatedwith an unknown identity). For example, although a communication or oneor more segments of a communication may include voice signals associatedwith an operator or a representative, voice signals associated with anindividual may be of interest.

The analysis component 250 may analyze one or more frequency responsesbased on voice stress analysis by determining and/or comparing frequencyresponses of one or more segments of a communication. Generally, VSAincludes a series of one or more baseline questions and a series of oneor more ‘test’ questions, ‘stress’ questions, or security questions.Baseline questions are questions which an individual is not expected tolie about (e.g., what is your name, what is your address, etc.). The‘test’ questions are questions where an individual has a possibility orlikelihood of lying when responding to the question.

Because voice quality or frequency may change or be affected when anindividual is under stress or pressure (e.g., engaging in fraudulentactivity), the analysis component 250 may detect tensing of vocal cordsof an individual by measuring the response or frequency responseassociated with different portions or segments of a conversation or acommunication. The analysis component 250 may determine one or morefrequency responses for one or more corresponding segments of acommunication (e.g., provide an average frequency response, highs, lows,etc. for respective segments) or for one or more voice signals of thecommunications.

The analysis component 250 may facilitate determining whether a responsefrom an individual (e.g., response to a security question) falls withinan acceptable range of frequencies (e.g., exceeds a frequency thresholdor within a frequency range). In other words, the analysis component 250may measure psychophysiological stress responses of an individuals to astimulus (e.g., test question, security question, verification ofidentity, etc.). In one or more embodiments, the analysis component 250may analyze one or more portions of a communication or a call bysegment. For example, the analysis component 250 may determine one ormore expected frequency responses for a salutation segment, averification segment, a conversation segment, a summary segment, othersegments or portions of a communication or call.

In this way, the analysis component 250 may analyze a voice or voicesignal of an individual or entity to identify deception within aconversation, such as a phone conversation, for example. The analysiscomponent 250 may analyze a voice signal from a communication orconversation and determine one or more frequencies or frequencyresponses associated with the voice signal. For example, a frequencyassociated with a voice signal may be indicative of the frequency atwhich vocal chords of an individual vibrate. To this end, the analysiscomponent 250 may estimate stress of a caller, entity, or individual byanalyzing a vibration rate associated with vocal cords of theindividual.

In one or more embodiments, the analysis component 250 may analyze oneor more frequency responses for one or more segments of a communication.Further, the analysis component 250 may generate a frequencydetermination based on the analysis of one or more of the frequencyresponses. The frequency determination may be generated based on acomparison between one or more of the frequency responses and afrequency threshold. As an example, the analysis component 250 mayanalyze one or more segments of a communication and compare one or moresegments against one or more expected frequency responses. For example,little or no stress is generally expected during an introduction segmentof a communication. If the analysis component 250 notes high frequencyresponse greater than a frequency threshold associated with a ‘normal’or baseline response, then a corresponding frequency determination maybe generated by the analysis component 250.

Similarly, if a verification segment of a communication is recorded anda frequency response greater than a frequency response threshold isnoted by the analysis component 250, a frequency determination may begenerated which indicates that an abnormal response was received, suchas during the security questions. In one or more embodiments, thisscenario (e.g., a frequency response outside of an acceptable rangeduring a verification segment) may be considered more significant orweighted more heavily than a frequency response which is outside of anacceptable range for an introduction segment of a communication.

In other embodiments, the analysis component 250 may compare two or morefrequency responses for two or more segments of the communication. Forexample, if a delta or difference between two or more of the frequencyresponses is greater than a delta frequency response threshold, theanalysis component 250 may generate a frequency determination whichindicate that the individual may be engaging in fraudulent activity. Inother words, the analysis component 250 may compare two or more of thefrequency responses based on a delta frequency threshold. Stated yetanother way, the analysis component 250 may generate the frequencydetermination based on a comparison between one or more of the frequencyresponses of one or more of the segments of the communication and one ormore other frequency responses of one or more other segments of thecommunication. For example, the analysis component 250 may utilize oneor more of the voice signals of an individual from the salutationsegment, summary segment, or conversation segment as a baseline forgenerating the frequency determination and compare the baseline withfrequencies from the verification segment of the communication.

In one or more embodiments, the analysis component 250 may compare oneor more measured frequencies (e.g., associated with different portionsof a conversation or a communication) with one or more expectedfrequencies or expected frequency responses (e.g., assigned by themonitoring component 230 or from a frequency library of the databasecomponent 220). In other words, the analysis component 240 may scan afrequency library of the database component 220 to determine if anindividual on a communication is speaking according to a range providedby the frequency library. In other embodiments, the analysis component250 may identify a caller or individual as a potential fraudster whenone or more portions or segments of a communication or conversation havefrequencies which exceed a frequency threshold, for example. Theanalysis component 250 may analyze one or more portions or segments of acommunication and generate a histogram of frequencies, a frequencydelta, or a stress to non-stress ratio for one or more of the segmentsor across the communication, etc. To this end, the analysis component250 may detect or analyze communications and identify communications(e.g., or portions or segments thereof) associated with a stress tonon-stress segment ratio which exceeds a pre-determined threshold.

The analysis component 250 may assign a segment of a conversation orcommunication which is associated with a request, a desire, a goal, adesired action, etc. as a baseline. In one or more embodiments, theanalysis component 250 may utilize the conversation segment of acommunication as a baseline. In other words, the analysis component 250may utilize frequency responses associated with the conversation segmentof a communication as an indicator of when a speaker or individual isnot stressed, not lying, speaking at a lower range of frequencies, orotherwise at a normal stress level, baseline stress level, etc. In theseconversation segments, it may be presumed or assumed that that thecaller or individual is conversing or making statements with regards totheir goals or what they desire to achieve. Because of this, theconversation segment may be associated with a normal, near normal,substantially normal, baseline level of stress, frequency response, etc.

Conversely, for the verification segment of a communication, theanalysis component 250 may utilize corresponding frequency responses assegments to compare against baseline readings. In other words, theverification segment of a communication may be utilized as a test, bydetermining whether a frequency response associated with theverification segment has a higher frequency than the conversationsegment. Here, during the verification segment of a communication, ahigher stress level or frequency response may be expected. Because afraudster is answering questions or test questions as if they were anaccount owner or authorized user, a higher frequency response may beexpected (e.g., due to the risk of being detected, the thrill ofsuccess, an internal mental process associated with answering questionsunder an “assumed identity”, speaking a language which is not theirbirth language, etc.). Based on the frequency, the analysis component250 may calculate a stress level for one or more segments of acommunication or intervene or take action based on the stress level.

In one or more embodiments, the analysis component 250 may identify acaller or an individual as legitimate even if one or more portions of acommunication are associated with frequencies which exceed a frequencythreshold based on one or more characteristics associated with theindividual or one or more characteristics associated with a segment of acommunication. For example, if an account owner (who has previouslycalled in repeatedly) often speaks with a high frequency, his or heraccount may be tagged or identified such that a higher frequency or afrequency range is to be expected when the account owner calls in. Here,a frequency library (e.g., of a database component 220) may be updatedto indicate a range of frequencies at which an account owner generallyspeaks.

As another example, if a ‘test’ question or security question oftentriggers account owners to exhibit higher frequency responses than othersecurity questions, that ‘test question’ or security question may beassociated with a higher threshold or tolerance, for example. To thisend, different questions may be associated with different expectedfrequencies or expected frequency responses. In other words, one or moresegments associated with a high frequency response (e.g., above afrequency threshold or outside of a frequency range) of multiplesegments or a plurality of segments may not necessarily be indicative ofa fraudster. The analysis component 250 may utilize context informationto facilitate determining whether or not a response or a voice signal ispotentially fraudulent or associated with potential fraudulent activity.In yet another example, an account owner may submit a voice sample forpositive identification to verify his or her identity when individualsclaiming to be the account owner call in.

The analysis component 250 may determine risks associated with atransaction or a request (e.g., address change, money transfer, etc.)and determine thresholds or tolerances for VSA according to or based onone or more of the risks. In one or more embodiments, the analysiscomponent 250 may order one or more security questions or ‘test’questions such that a security question, stress question, or ‘test’question is asked first or before a baseline question, conversationalquestion, goal, desires, etc. For example, a communication may bestructured such that a verification segment may occur prior to aconversation segment. In other words, the analysis component enablesimplementation of VSA such that a structured format for the questioningis not required. For example, test questions and baseline questions maybe asked in most any order. A caller or individual may provide acommunication or statement without a prompt from a representative, suchas at the beginning of a call, for example.

Additionally, the analysis component 250 may be utilized to check forfalse positives related to other aspects of the system 200. For example,it may not be possible to rely merely on voice biometrics (e.g., themonitoring component 230) or merely on pathway detection (e.g., thedetection component 240) because a large amount of spoofing occurs. Thespoofing may be intentional or it may be unintentional. For example,when an individual calls in from a voice over internet protocol (VoIP)platform, degradation of the quality of the communication may occur,thereby causing call quality issues, volume issues, etc. To this end,when audio is impacted (e.g., due to connectivity issues), a higheroccurrence false positives may arise. Because issues which impact voicebiometrics may not have as large an impact on voice stress, VSA may beutilized to cross reference results of the voice biometrics. Forexample, the vibration rate associated with a voice signature or voicesignature generally does not change as call quality varies. Accordingly,the analysis component 250 may provide a level of confidence as towhether or not a caller or individual is a fraudster.

In one or more embodiments, the database component 220. The databasecomponent may include one or more libraries. For example, the databasecomponent 220 may include a voice library, a pathway library, and afrequency library. The voice library (e.g., fraud voice library or voiceprint database) may include voice samples, voice signals, audiosignatures, etc. of individuals deemed to be fraudsters, impersonators,or perpetrators. This enables a comparison to be made between a voicesignal of an inbound caller or inbound communication and voice samplesof one or more of the known fraudsters. When a match is found, actionsmay be taken to mitigate loss or an account takeover, for example.

In one or more embodiments, the voice library or voice print databasemay include voice signals for one or more owners or authorized users forone or more corresponding accounts. In other words, the voice printlibrary may include voice signals or voice prints which may be utilizedfor positive identification of an individual when that individual is incommunication with a call center. For example, a voice print of a voicesignal of an owner or authorized user of an account may be made orrecorded when the account is opened or when an account owner is presentin person, etc. In this way, the voice signal or voice print associatedwith the account may be a voice known to be associated with the accountowner, thereby enabling the voice print to be utilized for positiveidentification use. Such identification may be applied live or torecorded calls. It will be appreciated that other components, such asthe monitoring component 230, may isolate one or more of the voicesignals for a live communication or a recorded communication.

The database component 220 may include a pathway library or pathwaydatabase which stores one or more known fraud pathways or sets ofcharacteristics associated with pathways which are deemed to beassociated with fraudulent activity. In other words, a pathway librarymay include one or more sets of characteristics deemed to be associatedwith fraudulent communication.

Additionally, the database component 220 may include a frequencylibrary. The frequency library may include characteristics associatedwith account owners. For example, the frequency library may be utilizedto compile patterns associated with account owners (e.g., an accountowners generally calls in from a same or similar call pathway, has avoice signal associated with a frequency range, calls in at a particulartime, etc.). In this way, a database of people who call in per accountmay be built and comparisons may be made accordingly. It will beappreciated the one or more of the libraries may be modified or updatedbased on input, a result, or a determination generated based on one ormore of the other libraries. In other words, when fraud occurs, anassociated voice signal may be recorded to a voice library, attributesor characteristics stored for a communication pathway to a pathwaylibrary. To this end most any data associated with activity deemedfraudulent may be captures or loaded back into an appropriate orcorresponding library. In this way, one of the libraries may be utilizedto sharpen or enhance the other two.

In one or more embodiments, the fraud component 260 may identifypotential fraudulent activity or types of fraudulent activity andprovide one or more notifications to one or more parties when potentialfraudulent activity is detected. In one or more embodiments, the fraudcomponent 260 may select or determine one or more responses to thepotential fraudulent activity (e.g., open an investigation, notify oneor more parties, entities, individuals, etc.). Potential fraudulentactivity may be mitigated by intervening, providing one or morenotifications to one or more parties when potential fraudulent activityis identified, etc. Fraudulent activity or potential fraudulent activitymay be identified by the fraud component 260 based on one or moredeterminations, such as the voice match determination, the pathway matchdetermination, or the frequency determination. It will be appreciatedthat intervening activity may be conducted live or after the fact, suchas when analysis is applied to a recorded communication or after a callhas come to a natural conclusion.

In one or more embodiments, fraudulent activity may be found ordetermined based on a comparison between a voice signal and a voiceprint database (e.g., to detect when individuals deemed to be fraudstersin communication), spoof detection, pathway detection, a comparisonbetween a communication pathway and a pathway library or pathwaydatabase (e.g., to detect when communications are originating from aknown fraud pathway), voice stress analysis (VSA), stress segment tonon-stress segment ratio (e.g., for one or more portions or segments ofa communication). The fraud component 260 may compare voice signals orvoice signatures received from the monitoring component against voicesamples or voice signatures from the database component 220.

The fraud component 250 may determine fraudulent activity based on oneor more determinations (e.g., the voice match determination, the pathwaymatch determination, or the frequency determination). For example, thefraud component 260 may deem activity associated with an account to befraudulent based on a comparison between one or more of the voicesignals and one or more of the voice samples of the voice library. Thefraud component 260 may also deem activity associated with the accountto be fraudulent based on a comparison between one or more of thecharacteristics associated with the communication and one or more setsof the characteristics of the pathway library. In one or moreembodiments, the fraud component 260 may deem activity to be fraudulentbased on VSA performed by the analysis component 250 where a voicesignal exceeds a frequency response threshold or frequency range.

The fraud component 260 may update one or more libraries of the databasecomponent 220. For example, the fraud component 260 may update the voicelibrary or the pathway library based on activity deemed to be fraudulentassociated with the account. It will be appreciated the one or more ofthe libraries may be utilized to sharpen, enhance, or cross referencethe other libraries. The activity deemed to be fraudulent for theaccount may be determined at a time after the communication hasoccurred. In some scenarios, the activity deemed to be fraudulent may bediscovered, marked, or tagged manually.

To this end the fraud component 260 may update a frequency library withone or more of the frequency responses associated with the individual,update the voice library with one or more of the voice signals based ona match between one or more of the characteristics associated with thecommunication and one or more sets of the characteristics of the pathwaylibrary, update the voice library with one or more of the voice signalsbased on one or more frequency responses of one or more of the voicesignals of the communication, update the pathway library with one ormore characteristics of the communication based on a match between oneor more of the voice signals and one or more of the voice samples of thevoice library, or update the pathway library with one or morecharacteristics of the communication based on one or more frequencyresponses of one or more of the voice signals of the communication.

As an example, when potential or actual fraudulent activity is detected,the fraud component 260 may identify one or more signatures associatedwith the potential or actual fraudulent activity and update the databasecomponent accordingly. For example, if the analysis component 250detects that an individual is responding in a manner which is notconsistent with characteristics of a legitimate individual, legitimatecaller, or legitimate account owner, the fraud component 260 may recordone or more portions of the conversation and store them with thedatabase component 220 for future reference. This way, if the sameindividual initiates additional communication with a call center orother aspect of an institution, voice biometrics, a voice print or voicecomparison may be conducted to identify the individual as a knownfraudster or known perpetrator.

In one or more embodiments, the database 220 or associated libraries maybe updated after an extended period of time has passed. For example, tofacilitate maintenance of one or more of the databases or libraries,when fraud is detected, an investigation may be opened to determinewhether or not one or more communications on the record exist. In thisway, old or previously recorded voice signals, communications, calls,etc. may be analyzed even when no potential fraud is detected at thetime of the communication, for example.

In one or more embodiments, the system 200 of FIG. 2 may analyze one ormore segments of a communication for stress where little or no stressshould occur or be expected. Additionally, the fraud component 260 mayidentify potential fraudulent activity by weighing the voice matchdetermination heavier than the frequency determination. The fraudcomponent 260 may identify potential fraudulent activity by consideringthe voice match determination prior to considering the frequencydetermination as well.

It will be appreciated that one or more the systems or techniques, suchas VSA, communication pathways, or voice prints may be applied to livecommunication or recorded communication. For example, VSA may be appliedto inbound communications or phone calls to a bank or a call center. Inone or more embodiments, one or more aspects may be implemented in aninteractive voice response (IVR) system. Here, a communication mayinclude one or more segments having one or more voice signals associatedwith merely one individual. A communication may implemented or may occurover a voice over internet protocol (VoIP) channel. For example, arecorded communication may be a telecommunication in which theindividual is a participant. The analysis component 250 may executevoice stress analysis live during a communication or at a later time fora recorded communication. If voice biometrics matches a voice signal toa known fraud voice print, VSA may not be utilized by the analysiscomponent 250. VSA may be utilized when a communication is associatedwith a VoIP channel or when a new or unknown voice print is detected orwhen an unknown voice signature and a new or unknown communicationpathway.

FIG. 3 is an illustration of an example flow diagram of a method 300 forfraud detection, according to one or more embodiments. At 302, acommunication may be received or recorded. At 304, one or more segmentsof the communication may be identified or tagged. At 306, one or morefrequency responses may be determined for one or more segments of thecommunication. At 306, one or more frequency responses may be analyzedfor one or more segments of the communication (e.g., by comparing two ormore frequency responses for two or more segments of a communication orby comparing a frequency response of a segment with a threshold orrange).

FIG. 4 is an illustration of an example flow diagram of a method 400 forfraud detection, according to one or more embodiments. At 402, one ormore libraries are built. At 404, one or more segments of acommunication are identified. At 406, one or more voice signals may beisolated from a communication. At 408, one or more voice signals may becompared against a voice library to generate a voice matchdetermination. At 410, one or more characteristics associated with acommunication may be determined. At 412, one or more of thecharacteristics may be compared against characteristics from a pathwaylibrary to generate a pathway match determination. At 414, one or morefrequency responses may be analyzed to generate a frequencydetermination. At 416, potential fraudulent activity may be identifiedbased on one or more of the determinations.

FIG. 5 is an illustration of an example flow diagram of a method 500 forfraud detection, according to one or more embodiments. One or morelibraries may be generated or stored at 502. A communication may bereceived and frequency responses determined at 504. One or morecharacteristics associated with the communication may be determined at506. At 508, one or more libraries may be updated based on one or moreof the frequency responses (e.g., VSA) or characteristics (e.g. pathwaycharacteristics).

FIG. 6 is an illustration of an example flow diagram of a method 600 forfraud detection, according to one or more embodiments. At 610, aninbound call may be received. At 620, pathway fraud detection may beemployed (e.g., characteristics compared against a pathway library). At630, voice signals may be compared against a voice library. At 640, VSAmay be implemented. At 650, the risk of deception may be analyzed. Iffraud is detected at 620, 630, 640, or 650, an alert 670 may be sent andone or more libraries 680 updated. If no fraud is detected, the call mayproceed 660.

Still another embodiment involves a computer-readable medium includingprocessor-executable instructions configured to implement one or moreembodiments of the techniques presented herein. An embodiment of acomputer-readable medium or a computer-readable device devised in theseways is illustrated in FIG. 7, wherein an implementation 700 includes acomputer-readable medium 708, such as a CD-R, DVD-R, flash drive, aplatter of a hard disk drive, etc., on which is encodedcomputer-readable data 706. This computer-readable data 706, such asbinary data including a plurality of zero's and one's as shown in 706,in turn includes a set of computer instructions 704 configured tooperate according to one or more of the principles set forth herein. Inone such embodiment 700, the processor-executable computer instructions704 are configured to perform a method 702, such as the method 300 ofFIG. 3, the method 400 of FIG. 4, etc. In another embodiment, theprocessor-executable instructions 704 are configured to implement asystem, such as the system 200 of FIG. 2. Many such computer-readablemedia are devised by those of ordinary skill in the art that areconfigured to operate in accordance with the techniques presentedherein.

As used in this application, the terms “component”, “module,” “system”,“interface”, and the like are generally intended to refer to acomputer-related entity, either hardware, a combination of hardware andsoftware, software, or software in execution. For example, a componentmay be, but is not limited to being, a process running on a processor, aprocessor, an object, an executable, a thread of execution, a program,or a computer. By way of illustration, both an application running on acontroller and the controller may be a component. One or more componentsresiding within a process or thread of execution and a component may belocalized on one computer or distributed between two or more computers.

Further, the claimed subject matter is implemented as a method,apparatus, or article of manufacture using standard programming orengineering techniques to produce software, firmware, hardware, or anycombination thereof to control a computer to implement the disclosedsubject matter. The term “article of manufacture” as used herein isintended to encompass a computer program accessible from anycomputer-readable device, carrier, or media. Of course, manymodifications may be made to this configuration without departing fromthe scope or spirit of the claimed subject matter.

FIG. 8 and the following discussion provide a description of a suitablecomputing environment to implement embodiments of one or more of theprovisions set forth herein. The operating environment of FIG. 8 ismerely one example of a suitable operating environment and is notintended to suggest any limitation as to the scope of use orfunctionality of the operating environment. Example computing devicesinclude, but are not limited to, personal computers, server computers,hand-held or laptop devices, mobile devices, such as mobile phones,Personal Digital Assistants (PDAs), media players, and the like,multiprocessor systems, consumer electronics, mini computers, mainframecomputers, distributed computing environments that include any of theabove systems or devices, etc.

Generally, embodiments are described in the general context of “computerreadable instructions” being executed by one or more computing devices.Computer readable instructions may be distributed via computer readablemedia as will be discussed below. Computer readable instructions may beimplemented as program modules, such as functions, objects, ApplicationProgramming Interfaces (APIs), data structures, and the like, thatperform one or more tasks or implement one or more abstract data types.Typically, the functionality of the computer readable instructions arecombined or distributed as desired in various environments.

FIG. 8 illustrates a system 800 including a computing device 812configured to implement one or more embodiments provided herein. In oneconfiguration, computing device 812 includes at least one processingunit 816 and memory 818. Depending on the exact configuration and typeof computing device, memory 818 may be volatile, such as RAM,non-volatile, such as ROM, flash memory, etc., or a combination of thetwo. This configuration is illustrated in FIG. 8 by dashed line 814.

In other embodiments, device 812 includes additional features orfunctionality. For example, device 812 may include additional storagesuch as removable storage or non-removable storage, including, but notlimited to, magnetic storage, optical storage, etc. Such additionalstorage is illustrated in FIG. 8 by storage 820. In one or moreembodiments, computer readable instructions to implement one or moreembodiments provided herein are in storage 820. Storage 820 may storeother computer readable instructions to implement an operating system,an application program, etc. Computer readable instructions may beloaded in memory 818 for execution by processing unit 816, for example.

The term “computer readable media” as used herein includes computerstorage media. Computer storage media includes volatile and nonvolatile,removable and non-removable media implemented in any method ortechnology for storage of information such as computer readableinstructions or other data. Memory 818 and storage 820 are examples ofcomputer storage media. Computer storage media includes, but is notlimited to, RAM, ROM, EEPROM, flash memory or other memory technology,CD-ROM, Digital Versatile Disks (DVDs) or other optical storage,magnetic cassettes, magnetic tape, magnetic disk storage or othermagnetic storage devices, or any other medium which may be used to storethe desired information and which may be accessed by device 812. Anysuch computer storage media is part of device 812.

The term “computer readable media” includes communication media.Communication media typically embodies computer readable instructions orother data in a “modulated data signal” such as a carrier wave or othertransport mechanism and includes any information delivery media. Theterm “modulated data signal” includes a signal that has one or more ofits characteristics set or changed in such a manner as to encodeinformation in the signal.

Device 812 includes input device(s) 824 such as keyboard, mouse, pen,voice input device, touch input device, infrared cameras, video inputdevices, or any other input device. Output device(s) 822 such as one ormore displays, speakers, printers, or any other output device may beincluded with device 812. Input device(s) 824 and output device(s) 822may be connected to device 812 via a wired connection, wirelessconnection, or any combination thereof. In one or more embodiments, aninput device or an output device from another computing device may beused as input device(s) 824 or output device(s) 822 for computing device812. Device 812 may include communication connection(s) 826 tofacilitate communications with one or more other devices.

According to one or more aspects, system for fraud detection isprovided, including a monitoring component recording a communication,wherein the communication includes one or more segments of one or morevoice signals associated with an individual and identifying one or moreof the segments of the communication. The system may include an analysiscomponent determining one or more frequency responses for one or more ofthe corresponding segments of the communication and analyzing one ormore of the frequency responses for one or more of the segments of thecommunication.

In one or more embodiments, the communication includes a salutationsegment, a verification segment, a conversation segment, or a summarysegment. The salutation segment may include an introduction, a customarygreeting, or identification. The verification segment may include one ormore security questions, one or more test questions, or one or morestress questions. The conversation segment may include one or morerequests associated with an account. The communication may beimplemented across a voice over internet protocol (VoIP) channel. In oneor more embodiments, analysis component may compare two or more of thefrequency responses for two or more of the segments of thecommunication. The analysis component may compare two or more of thefrequency responses based on a delta frequency threshold. The analysiscomponent may analyze one or more of the frequency responses based onvoice stress analysis (VSA). The communication may include one or moresegments of one or more additional voice signals associated with asecond individual (e.g., a representative).

According to one or more aspects, a method for fraud detection isprovided, including recording a communication, wherein the communicationincludes one or more segments having one or more voice signalsassociated with an individual, identifying one or more of the segmentsof the communication, determining one or more frequency responses forone or more of the corresponding segments of the communication, andanalyzing one or more of the frequency responses for one or more of thesegments of the communication.

In one or more embodiments, the method may include comparing two or moreof the frequency responses for two or more of the segments of thecommunication. The method may include comparing two or more of thefrequency responses is based on a delta frequency threshold, analyzingone or more of the frequency responses based on voice stress analysis(VSA). The communication may include one or more segments of one or moreadditional voice signals associated with a second individual. Thecommunication may be a recorded communication or a telecommunication inwhich the individual is a participant.

According to one or more aspects, system for fraud detection isprovided, including a database component including a voice libraryincluding one or more voice samples of individuals deemed to befraudsters. The system may include a monitoring component identifyingone or more segments of a communication as a salutation segment, averification segment, a conversation segment, or a summary segment. Themonitoring component may isolate one or more voice signals from one ormore of the segments of the communication. The monitoring component maycompare one or more of the voice signals from one or more of thesegments of the communication with one or more of the voice samples ofthe voice library to generate a voice match determination. The systemmay include an analysis component analyzing one or more frequencyresponses of one or more of the voice signals from one or more of thesegments of the communication to generate a frequency determination. Thesystem may include a fraud component identifying potential fraudulentactivity based on the voice match determination or the frequencydetermination.

In one or more embodiments, the fraud component identifies potentialfraudulent activity by weighing the voice match determination heavierthan the frequency determination. The fraud component may identifypotential fraudulent activity by considering the voice matchdetermination prior to considering the frequency determination. Themonitoring component may filter noise from one or more of the segmentsof the communication. The analysis component may generate the frequencydetermination based on a comparison between one or more of the frequencyresponses and a frequency threshold. The analysis component may generatethe frequency determination based on a comparison between one or more ofthe frequency responses of one or more of the segments of thecommunication and one or more other frequency responses of one or moreother segments of the communication.

In one or more embodiments, the fraud component provides one or morenotifications to one or more parties when potential fraudulent activityis identified. The monitoring component may isolate one or more of thevoice signals for a live communication or a recorded communication. Oneor more of the voice signals may be from an individual. One or more ofthe voice signals or other voice signals may be from a representative ofa call center.

According to one or more aspects, system for fraud detection isprovided, including a database component which includes a pathwaylibrary including one or more sets of characteristics deemed to beassociated with fraudulent communication. The system may include amonitoring component identifying one or more segments of a communicationas a salutation segment, a verification segment, a conversation segment,or a summary segment. The monitoring component may isolate one or morevoice signals from one or more of the segments of the communication. Thesystem may include a detection component determining one or morecharacteristics associated with the communication. The detectioncomponent may compare one or more of the characteristics associated withthe communication with one or more of the sets of characteristics of thepathway library to generate a pathway match determination. The systemmay include an analysis component analyzing one or more frequencyresponses of one or more of the voice signals from one or more of thesegments of the communication to generate a frequency determination. Thesystem may include a fraud component identifying potential fraudulentactivity based on the pathway match determination or the frequencydetermination.

In one or more embodiments, one or more of the characteristicsassociated with the communication may be indicative of a technologyassociated with the communication, one or more artifacts associated withthe communication, or noise associated with the communication. Thecommunication may occur over a voice over internet protocol (VoIP)channel or a telecommunications channel. The analysis component mayutilize one or more of the voice signals from the salutation segment orconversation segment as a baseline for generating the frequencydetermination.

According to one or more aspects, a system for fraud detection isprovided, including a database component, a monitoring component, adetection component, an analysis component, and a fraud component. Thedatabase component may include a voice library including one or morevoice samples of individuals deemed to be fraudsters. The databasecomponent may include a pathway library including one or more sets ofcharacteristics deemed to be associated with fraudulent communication.The monitoring component may identify one or more segments of acommunication as a salutation segment, a verification segment, aconversation segment, or a summary segment. The monitoring component mayisolate one or more voice signals from one or more of the segments ofthe communication. The monitoring component may compare one or more ofthe voice signals from one or more of the segments of the communicationwith one or more of the voice samples of the voice library to generate avoice match determination. The detection component may determine one ormore characteristics associated with the communication. The detectioncomponent may compare one or more of the characteristics associated withthe communication with one or more of the sets of characteristics of thepathway library to generate a pathway match determination. The analysiscomponent may analyze one or more frequency responses of one or more ofthe voice signals from one or more of the segments of the communicationto generate a frequency determination. The fraud component may identifypotential fraudulent activity based on the voice match determination,the pathway match determination, or the frequency determination.

In one or more embodiments, the fraud component may identify potentialfraudulent activity by weighing the voice match determination heavierthan the frequency determination or by considering the voice matchdetermination prior to considering the frequency determination. Themonitoring component may filter noise from one or more segments of thecommunication.

According to one or more aspects, system for fraud detection isprovided, including a database component, a monitoring component, adetection component, and a fraud component. The database component mayinclude a voice library including one or more voice samples ofindividuals deemed to be fraudsters. The database component may includea pathway library including one or more sets of characteristics deemedto be associated with fraudulent communication. The monitoring componentmay receive a communication, wherein the communication includes one ormore voice signals of an individual making one or more requestsassociated with an account. The detection component may determine one ormore characteristics associated with the communication. The fraudcomponent may update the voice library or the pathway library based onactivity deemed to be fraudulent associated with the account.

In one or more embodiments, the system includes an analysis componentdetermining one or more frequency responses of one or more of the voicesignals of the communication. The fraud component may update a frequencylibrary with one or more of the frequency responses associated with theindividual. The fraud component may deem activity associated with theaccount to be fraudulent based on a comparison between one or more ofthe voice signals and one or more of the voice samples of the voicelibrary. The fraud component may deem activity associated with theaccount to be fraudulent based on a comparison between one or more ofthe characteristics associated with the communication and one or moresets of the characteristics of the pathway library. In one or moreembodiments, the activity deemed to be fraudulent for the account may bedetermined at a time after the communication has occurred. For example,the activity deemed to be fraudulent may be discovered manually.

According to one or more aspects, a method for fraud detection isprovided, including storing a voice library including one or more voicesamples of individuals deemed to be fraudsters, storing a pathwaylibrary including one or more sets of characteristics deemed to beassociated with fraudulent communication, receiving a communication,wherein the communication includes one or more voice signals of anindividual making one or more requests associated with an account,determining one or more characteristics associated with thecommunication, or updating the voice library or the pathway librarybased on activity deemed to be fraudulent associated with the account.

The method may include determining one or more frequency responses ofone or more of the voice signals of the communication, updating afrequency library with one or more of the frequency responses associatedwith the individual, deeming activity associated with the account to befraudulent based on a match between one or more of the voice signals andone or more of the voice samples of the voice library, or deemingactivity associated with the account to be fraudulent based on a matchbetween one or more of the characteristics associated with thecommunication and one or more sets of the characteristics of the pathwaylibrary.

According to one or more aspects, a system for fraud detection isprovided, including database component, a monitoring component, adetection component, and a fraud component. The database component mayinclude a voice library including one or more voice samples ofindividuals deemed to be fraudsters and a pathway library including oneor more sets of characteristics deemed to be associated with fraudulentcommunication. The monitoring component may receive a communication,wherein the communication includes one or more voice signals of anindividual making one or more requests associated with an account,wherein the communication is recorded. The detection component maydetermine one or more characteristics associated with the communication.The fraud component may update the voice library or the pathway librarybased on activity deemed to be fraudulent associated with the account.

The fraud component may update the voice library with one or more of thevoice signals based on a match between one or more of thecharacteristics associated with the communication and one or more setsof the characteristics of the pathway library, update the voice librarywith one or more of the voice signals based on one or more frequencyresponses of one or more of the voice signals of the communication,update the pathway library with one or more characteristics of thecommunication based on a match between one or more of the voice signalsand one or more of the voice samples of the voice library, or update thepathway library with one or more characteristics of the communicationbased on one or more frequency responses of one or more of the voicesignals of the communication.

In one or more embodiments, the system may include an analysis componentdetermining one or more frequency responses of one or more of the voicesignals of the communication. The fraud component may update a frequencylibrary with one or more of the frequency responses associated with theindividual. The monitoring component may filter noise from one or moresegments of the communication.

Although the subject matter has been described in language specific tostructural features or methodological acts, it is to be understood thatthe subject matter of the appended claims is not necessarily limited tothe specific features or acts described above. Rather, the specificfeatures and acts described above are disclosed as example embodiments.

Various operations of embodiments are provided herein. The order inwhich one or more or all of the operations are described should not beconstrued as to imply that these operations are necessarily orderdependent. Alternative ordering will be appreciated based on thisdescription. Further, not all operations may necessarily be present ineach embodiment provided herein.

As used in this application, “or” is intended to mean an inclusive “or”rather than an exclusive “or”. Further, an inclusive “or” may includeany combination thereof (e.g., A, B, or any combination thereof). Inaddition, “a” and “an” as used in this application are generallyconstrued to mean “one or more” unless specified otherwise or clear fromcontext to be directed to a singular form. Additionally, at least one ofA and B and/or the like generally means A or B or both A and B. Further,to the extent that “includes”, “having”, “has”, “with”, or variantsthereof are used in either the detailed description or the claims, suchterms are intended to be inclusive in a manner similar to the term“comprising”.

Further, unless specified otherwise, “first”, “second”, or the like arenot intended to imply a temporal aspect, a spatial aspect, an ordering,etc. Rather, such terms are merely used as identifiers, names, etc. forfeatures, elements, items, etc. For example, a first channel and asecond channel generally correspond to channel A and channel B or twodifferent or two identical channels or the same channel. Additionally,“comprising”, “comprises”, “including”, “includes”, or the likegenerally means comprising or including, but not limited to.

Although the disclosure has been shown and described with respect to oneor more implementations, equivalent alterations and modifications willoccur based on a reading and understanding of this specification and theannexed drawings. The disclosure includes all such modifications andalterations and is limited only by the scope of the following claims.

What is claimed is:
 1. A system for fraud detection, comprising: aprocessing unit that executes the following computer executablecomponents stored in a memory: a database component comprising: a voicelibrary comprising one or more voice samples of individuals deemed to befraudsters, and a pathway library comprising a set of characteristicspreviously identified as being associated with a fraudulentcommunication, the set of characteristics are associated with artifactsdetected during portions of the fraudulent communication that lack voicesignals; a monitoring component that receives a communication thatcomprises voice signals of an individual making requests related to afinancial account; a detection component that determines characteristicsassociated with the communication, the characteristics relate to atleast one artifact of the communication detected during a portionwithout a voice signal; an analysis component that determines if adifference between a first frequency of a first segment of thecommunication and a second frequency of a second segment of thecommunication is outside a frequency range provided by a frequencylibrary, wherein the first frequency is weighted more heavily than thesecond frequency based on a first type of communication segment assignedto the first segment and a second type of communication segment assignedto the second segment; and a fraud component that determines activityassociated with the financial account is fraudulent based on adetermination that the at least one detected artifact of thecommunication matches the artifacts detected during portions of thefraudulent communication and that the difference between the firstfrequency and the second frequency is outside of the frequency range. 2.The system of claim 1, wherein the analysis component determinesrespective frequency responses of the voice signals of thecommunication.
 3. The system of claim 2, wherein the fraud componentupdates the frequency library with one or more of the frequencyresponses associated with the individual based on the determination thatthe communication is the fraudulent communication.
 4. The system ofclaim 1, wherein the fraud component deems the activity associated withthe financial account is fraudulent based on a comparison between thevoice signals and at least one voice sample of the one or more of thevoice samples of the voice library.
 5. The system of claim 1, whereinthe activity deemed to be fraudulent for the financial account isdetermined at substantially the same time as the communication is inprocess.
 6. A method for fraud detection, comprising: receiving, by asystem comprising a processing unit, a communication that comprisesvoice signals of an individual making one or more requests related to anaccount; determining, by the system, an artifact of the communication,the artifact being detected during a portion of the communication voidof voice signals; analyzing, by the system, a frequency response of thevoice signals of the individual; applying, by the system, a first weightto a first frequency response of a first segment of the voice signalsbased on an identified communication type of the first segment, and asecond weight to a second frequency response of a second segment of thevoice signals based on another identified communication type of thesecond segment, wherein the first weight and the second weight aredifferent weights; determining, by the system, a frequency differencebetween a frequency response of the first segment of the voice signalsand the second segment of the voice signals; determining, by the system,the frequency difference exceeds a frequency threshold; determining, bythe system, the individual is engaging in fraudulent activity based on adetermination that the frequency difference exceeds the frequencythreshold and another determination that the artifact matches at leastone artifact previously identified as being associated with a fraudulentcommunication and retained in a pathway library; and updating, by thesystem, the pathway library to include the artifact of the communicationbased on the determination that the individual is engaging in fraudulentactivity.
 7. The method of claim 6, further comprises updating, by thesystem, a frequency library to include the frequency response associatedwith the individual based on the determination that the individual isengaging in fraudulent activity.
 8. The method of claim 6, furthercomprises determining, by the system, activity associated with theaccount is fraudulent based on a match between the voice signals and oneor more voice samples of a voice library.
 9. The method of claim 6,further comprises determining, by the system, activity associated withthe account is fraudulent based on a match between one or morecharacteristics associated with the communication and one or more setsof characteristics included in the pathway library.
 10. A system forfraud detection, comprising: a processing unit that executes thefollowing computer executable components stored in a memory: a databasecomponent comprising: a voice library comprising one or more voicesamples of individuals deemed to be fraudsters; and a pathway librarycomprising one or more sets of characteristics deemed to be associatedwith fraudulent communication; a monitoring component that receives acommunication that comprises voice signals of an individual making oneor more requests associated with an account; a detection component thatdetermines a set of characteristics associated with the communication, acharacteristic of the set of characteristics is an artifact identifiedin the absence of the voice signals; an analysis component that analyzesa frequency response of a plurality of test questions, wherein each ofthe plurality of test questions is associated with a different frequencythreshold and is associated with a different communication segment type;and a fraud component that indicates the communication is fraudulentbased on a determination that at least one frequency response of theplurality of test questions does not match an expected frequencyresponse for the respective communication segment type and that theartifact matches at least one artifact previously identified as beingassociated with a fraudulent communication and retained in the pathwaylibrary, the fraud component updates the voice library or the pathwaylibrary based on activity deemed to be fraudulent associated with theaccount.
 11. The system of claim 10, wherein the fraud component updatesthe voice library to include the voice signals based on a match betweenthe one or more characteristics associated with the communication andthe one or more sets characteristics of the pathway library.
 12. Thesystem of claim 10, wherein the fraud component updates the voicelibrary to include the voice signals based on one or more frequencyresponses of the one or more voice signals of the communication.
 13. Thesystem of claim 10, wherein the fraud component updates the pathwaylibrary to include the one or more characteristics of the communicationbased on a match between the one or more voice signals and the one ormore voice samples of the voice library.
 14. The system of claim 10,wherein the fraud component updates the pathway library to include theone or more characteristics of the communication based on one or morefrequency responses of the one or more voice signals of thecommunication.
 15. The system of claim 10, wherein the analysiscomponent determines one or more frequency responses of the one or morevoice signals of the communication.
 16. The system of claim 10, whereinthe fraud component updates a frequency library to include the frequencyresponse associated with the individual.
 17. The system of claim 10, themonitoring component filters noise from one or more segments of thecommunication.